Customize JWT token to add userId in Spring Authorization Server 1.0.0


Question

I am new to Spring Security and Spring Authorization Server. I wanted to customize the JWT access token to include an additional userId parameter within the generated token.

I am using spring-authorization-server 1.0.0, and OAuth2TokenEndpointFilter is a final class, hence I am unable to override it. Can someone guide me on which class needs to be configured or how this can be done?

Answer 1

Score: 1


Take a look at the OAuth2TokenCustomizer in the reference. It gives access to the claims of the JWT before it is built, so you can customize however you need to.

Note that if you want to customize a specific token, this component is passed the context.getTokenType() so you can add an if-statement to only customize the access_token. See How-to: Customize the UserInfo Endpoint for an example (which customizes the id_token).


Update:

In order to add a dynamic value (such as a userId), you obviously would need to get the value to add. You might access the Principal associated with the authorization to do this, as in the following example:

import org.springframework.context.annotation.Bean;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.oauth2.core.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Bean
public OAuth2TokenCustomizer<JwtEncodingContext> tokenCustomizer() {
	return (context) -> {
		// Only customize the access token; id_token and refresh tokens are left untouched.
		if (OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
			// The principal of the authorization is the end user's authentication.
			UsernamePasswordAuthenticationToken authentication = context.getPrincipal();
			User user = (User) authentication.getPrincipal();

			// CustomUser is the application's own User subclass that carries an id.
			context.getClaims().claim("userId", ((CustomUser) user).getId());
		}
	};
}

This assumes you created a CustomUser with an id.

If you need to look up a value, it's no different than any other Spring application. You should inject the bean you need to perform the lookup:

@Bean
public OAuth2TokenCustomizer<JwtEncodingContext> tokenCustomizer(CustomRepository repo) {
	return (context) -> {
		// ...
	};
}

How you use the injected bean is up to you. There are additional methods on the context such as context.getAuthorization() (returns the OAuth2Authorization) to get more context about the current authorization if needed.
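An added example, not part of the answer above, that fills in the `// ...` of the injected-bean variant. It assumes a hypothetical `UserIdLookup` bean keyed by username and Java 17 (pattern-matching `instanceof`), skips the client_credentials case where the principal is the client rather than a user, and derives the id from the authenticated name rather than from anything the client sent in the request.

```java
package com.example.auth; // assumed package

import java.util.Optional;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.oauth2.core.OAuth2TokenType;
import org.springframework.security.oauth2.server.authorization.token.JwtEncodingContext;
import org.springframework.security.oauth2.server.authorization.token.OAuth2TokenCustomizer;

@Configuration
public class TokenCustomizerConfig {

    // Hypothetical lookup bean: maps an authenticated username to the application's user id.
    public interface UserIdLookup {
        Optional<Long> findIdByUsername(String username);
    }

    @Bean
    public OAuth2TokenCustomizer<JwtEncodingContext> tokenCustomizer(UserIdLookup lookup) {
        return context -> {
            // Add the claim to the access token only; id_token and refresh tokens stay as they are.
            if (!OAuth2TokenType.ACCESS_TOKEN.equals(context.getTokenType())) {
                return;
            }
            Authentication principal = context.getPrincipal();
            // client_credentials grants have no end user: the principal is the client,
            // not a UserDetails, so there is no userId to add.
            if (principal == null || !(principal.getPrincipal() instanceof UserDetails user)) {
                return;
            }
            // Resolve the id from the server-side authenticated name, never from request parameters.
            lookup.findIdByUsername(user.getUsername())
                  .ifPresent(id -> context.getClaims().claim("userId", id));
        };
    }
}
```

Resource servers still have to validate the token's signature and issuer before trusting the `userId` claim; the customizer only controls what is put into the token, not who reads it.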

huangapple
  • Posted on 17 May 2023, 15:42:13
  • Please keep this link when reposting: https://go.coder-hub.com/76269631.html